Increasing Operational Resilience Through Decentralization
Cardano Foundation comments on the BIS’ third-party risk management principles
The Bank for International Settlements (BIS), an international standard setter for financial regulation, plays a crucial role in shaping the global regulatory landscape applicable to banks and other financial intermediaries. Among other things, it issues principles and standards for managing third-party risks. Financial institutions regularly outsource certain activities to third-party service providers, allowing them to focus on core business operations while leveraging outside expertise and platform efficiencies (e.g., banking software providers or cloud computing infrastructure).
The BIS’ principles establish guidance around managing the associated operational risks and ensuring operational resilience. As these principles serve as the basis for national regulation, they strongly influence which third-party infrastructures and services financial institutions can effectively use for outsourcing. Formulating such standards too narrowly risks restricting the use of decentralized architectures such as blockchain. That is why, in October 2024, the Cardano Foundation participated in a public consultation on BIS’ latest update to the principles, advocating for an open, non-discriminatory, and proportionate regulatory approach.
We now highlight the key arguments and recommendations presented in our response, with the full version published here.
Strengthening operational resilience through technological neutrality
Operational resilience remains essential not only for financial institutions but for all critical infrastructure in this digital age. We believe that decentralized, open-access digital infrastructures like public, permissionless blockchains—including Cardano—can help mitigate key risks in today’s financial markets.
Open and diverse financial markets should empower institutions to make architectural choices based on their unique needs, free from regulatory constraints that favor legacy (centralized) models. By allowing institutions to explore a range of approaches and technologies, regulators can foster competitive innovation and support the emergence of the most effective and resilient solutions for evolving operational and risk management needs.
While all forms of infrastructure architecture come with trade-offs, decentralized systems bring several unique advantages that strengthen operational resilience and support a more adaptable financial system.
- Avoidance of Single-Entity Dependencies: Decentralized systems reduce reliance on any single entity for operations, minimizing risks associated with single-point failures and vendor lock-in. This is especially important given the concentration of cloud computing services in the hands of only a few large providers.
- Enhanced Resilience: By distributing data processing and control across multiple nodes, decentralized architectures offer higher reliability, fault tolerance, and security, often outperforming traditional centralized infrastructures.
- Transparency and Auditability: Decentralized systems maintain an immutable, tamper-proof ledger, allowing real-time data assurance, reducing reconciliation costs, and lessening dependence on auditors, thereby lowering operational costs.
- Composability and Open-Source Development: Modular design and open-source development give financial institutions flexibility, enabling custom solutions, lowering switching costs, and fostering innovation.
- Lower Barriers to Entry and Cost Reduction: Decentralized infrastructures reduce transaction costs and operational overhead by minimizing intermediaries. With maintenance costs distributed among participants, such platforms are more accessible and cost-efficient in the long term.
Rethinking counterparty-centric risk management
The BIS’ current third-party risk principles rely on the assumption of an identifiable counterparty, often limiting financial institutions to centralized services. Decentralized infrastructures, however, are designed without a central controlling entity. This characteristic makes it challenging to apply traditional counterparty-based risk management standards.
Despite this, financial institutions can manage risks in decentralized systems through a combination of alternative approaches, providing similar levels of assurance.
- Infrastructure Design and Code Base Evaluation: Institutions can assess the technical foundation and code integrity of decentralized infrastructures, focusing on operational and security standards rather than on a contractual counterparty.
- Collective Risk Assurance: By conducting targeted due diligence on key participants like node operators and developers, institutions can create a collective risk framework, distributing responsibilities and ensuring critical tasks are managed without reliance on a single entity.
- Direct Participation: Institutions can actively participate in decentralized networks by running nodes, engaging in governance, and building in-house expertise. This involvement enhances control, aligns network evolution with institutional priorities, and reduces reliance on third parties.
A technologically neutral risk management framework should enable financial institutions to leverage decentralized infrastructures by allowing these alternative risk mitigation strategies, supporting both innovation and operational resilience in the financial sector.
Conclusion and recommendations
The BIS’ third-party risk principles currently favor traditional, centralized service models by requiring a single legal counterparty for outsourcing arrangements. This approach limits financial institutions' ability to leverage decentralized infrastructures, which offer significant advantages in resilience, security, and cost efficiency. A counterparty-centric model inherently restricts technological neutrality and stifles innovation, preventing decentralized solutions from fully contributing to the financial system.
To enable a more inclusive and resilient framework, we recommend:
- Technological Neutrality: Revise the principles to avoid bias toward centralized models, allowing institutions to choose technologies based on their risk profiles and operational needs without the need for a centralized service provider.
- Alternative Risk Management Approaches: Allow decentralized infrastructures to adopt tailored risk mitigation methods, such as thorough code base assessments, collective risk assurance, and participation by diverse network participants.
- Direct Participation for Risk Mitigation: Encourage institutions to actively engage with decentralized infrastructures by running nodes, participating in governance, and contributing to development, collectively enhancing control and reducing third-party reliance.
By adopting a more flexible, technologically neutral regulatory framework, the BIS can support the development of more resilient, efficient, and innovative financial markets.